mirror of https://github.com/django/django.git synced 2025-10-25 14:46:09 +00:00

Fixed #8049 -- Fixed inconsistency in admin site is_active checks. Thanks for patch and tests, isagalaev

git-svn-id: http://code.djangoproject.com/svn/django/trunk@12159 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Adrian Holovaty
2010-01-10 16:51:13 +00:00
parent b651bcb80b
commit 19b72077f7
8 changed files with 29 additions and 6 deletions


@@ -139,7 +139,7 @@ class AdminSite(object):
Returns True if the given HttpRequest has permission to view Returns True if the given HttpRequest has permission to view
*at least one* page in the admin site. *at least one* page in the admin site.
""" """
return request.user.is_staff return request.user.is_active and request.user.is_staff
def check_dependencies(self): def check_dependencies(self):
""" """


@@ -22,7 +22,7 @@
<div id="branding"> <div id="branding">
{% block branding %}{% endblock %} {% block branding %}{% endblock %}
</div> </div>
{% if user.is_staff %} {% if user.is_active and user.is_staff %}
<div id="user-tools"> <div id="user-tools">
{% trans 'Welcome,' %} {% trans 'Welcome,' %}
<strong>{% firstof user.first_name user.username %}</strong>. <strong>{% firstof user.first_name user.username %}</strong>.


@@ -28,7 +28,7 @@ def staff_member_required(view_func):
member, displaying the login page if necessary. member, displaying the login page if necessary.
""" """
def _checklogin(request, *args, **kwargs): def _checklogin(request, *args, **kwargs):
if request.user.is_staff: if request.user.is_active and request.user.is_staff:
# The user is valid. Continue to the admin page. # The user is valid. Continue to the admin page.
return view_func(request, *args, **kwargs) return view_func(request, *args, **kwargs)


@@ -29,6 +29,11 @@ class BackendTest(TestCase):
user.is_superuser = False user.is_superuser = False
user.save() user.save()
self.assertEqual(user.has_perm('auth.test'), False) self.assertEqual(user.has_perm('auth.test'), False)
user.is_staff = True
user.is_superuser = True
user.is_active = False
user.save()
self.assertEqual(user.has_perm('auth.test'), False)
def test_custom_perms(self): def test_custom_perms(self):
user = User.objects.get(username='test') user = User.objects.get(username='test')


@@ -18,7 +18,7 @@ def populate_xheaders(request, response, model, object_id):
""" """
from django.conf import settings from django.conf import settings
if (request.META.get('REMOTE_ADDR') in settings.INTERNAL_IPS if (request.META.get('REMOTE_ADDR') in settings.INTERNAL_IPS
or (hasattr(request, 'user') and request.user.is_authenticated() or (hasattr(request, 'user') and request.user.is_active
and request.user.is_staff)): and request.user.is_staff)):
response['X-Object-Type'] = "%s.%s" % (model._meta.app_label, model._meta.object_name.lower()) response['X-Object-Type'] = "%s.%s" % (model._meta.app_label, model._meta.object_name.lower())
response['X-Object-Id'] = str(object_id) response['X-Object-Id'] = str(object_id)
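Review bot: Replacing `request.user.is_authenticated()` with `request.user.is_active` makes this gate depend on the anonymous user object reporting `is_active` as false, and nothing in the hunk records that assumption. A one-line comment above the condition, for example `# AnonymousUser.is_active is False, so this also excludes unauthenticated requests`, would make the reasoning visible to the next reader. If user objects supplied by custom backends can reach this code, keeping both tests (`request.user.is_authenticated() and request.user.is_active and request.user.is_staff`) is the more defensive form. The function's signature and the start of its docstring are outside the hunk.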


@@ -12,7 +12,8 @@ class XViewMiddleware(object):
indicating the view function. This is used by the documentation module indicating the view function. This is used by the documentation module
to lookup the view function for an arbitrary page. to lookup the view function for an arbitrary page.
""" """
if request.method == 'HEAD' and (request.META.get('REMOTE_ADDR') in settings.INTERNAL_IPS or request.user.is_staff): if request.method == 'HEAD' and (request.META.get('REMOTE_ADDR') in settings.INTERNAL_IPS or
(request.user.is_active and request.user.is_staff)):
response = http.HttpResponse() response = http.HttpResponse()
response['X-View'] = "%s.%s" % (view_func.__module__, view_func.__name__) response['X-View'] = "%s.%s" % (view_func.__module__, view_func.__name__)
return response return response
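Review bot: The rewritten condition still reads `request.user` without checking that the attribute exists, so a HEAD request from an address outside `INTERNAL_IPS` would raise AttributeError if nothing has set `request.user` before this middleware runs. The populate_xheaders change in this same commit guards the equivalent test with `hasattr(request, 'user')`. Using the same guard here, `(hasattr(request, 'user') and request.user.is_active and request.user.is_staff)`, would keep the two header-disclosure checks consistent. The method's signature is outside the hunk, so whether the attribute is guaranteed by the caller cannot be confirmed from here.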


@@ -602,6 +602,20 @@ class AdminViewPermissionsTest(TestCase):
self.failUnlessEqual(logged.object_id, u'1') self.failUnlessEqual(logged.object_id, u'1')
self.client.get('/test_admin/admin/logout/') self.client.get('/test_admin/admin/logout/')
def testDisabledPermissionsWhenLoggedIn(self):
self.client.login(username='super', password='secret')
superuser = User.objects.get(username='super')
superuser.is_active = False
superuser.save()
response = self.client.get('/test_admin/admin/')
self.assertContains(response, 'id="login-form"')
self.assertNotContains(response, 'Log out')
response = self.client.get('/test_admin/admin/secure-view/')
open('/home/maniac/Desktop/response.html', 'w').write(response.content)
self.assertContains(response, 'id="login-form"')
class AdminViewStringPrimaryKeyTest(TestCase): class AdminViewStringPrimaryKeyTest(TestCase):
fixtures = ['admin-views-users.xml', 'string-primary-key.xml'] fixtures = ['admin-views-users.xml', 'string-primary-key.xml']
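Review bot: The added test testDisabledPermissionsWhenLoggedIn contains a leftover debugging line, `open('/home/maniac/Desktop/response.html', 'w').write(response.content)`, which writes the response to a hard-coded path in one developer's home directory. On a machine without that directory the test fails with an I/O error before reaching its final assertion. Where the path does exist, the test writes a rendered admin page outside the test environment and never closes the file. The line should be deleted; the surrounding `assertContains(response, 'id="login-form"')` checks already cover the behaviour under test.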


@@ -35,4 +35,7 @@ urlpatterns = patterns('',
# conditional get views # conditional get views
(r'condition/', include('regressiontests.conditional_processing.urls')), (r'condition/', include('regressiontests.conditional_processing.urls')),
# special headers views
(r'special_headers/', include('regressiontests.special_headers.urls')),
) )